Systems, methods and apparatus for secure peripheral communication

ABSTRACT

An interface device includes a communication interface and a secure element. The communication interface receives input data and a selection of one of a plurality of secure modes to secure the input data for transmission to a secure external computing device, such as a banking web server. The secure element secures the input data based on the secure mode that was selected. The secured input data is then transmitted to the secure external computing device.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority from U.S. Provisional Application 62/140,004, filed Mar. 30, 2015, which is incorporated herein by reference.

INTRODUCTION

The security of user input on many computing devices, such as personal computers, is important in many scenarios such as online banking. Computing devices can be vulnerable to multiple threat vectors, such as malware, which may attempt to intercept or capture sensitive data input by the user in these scenarios.

Malware is a term used to describe a variety of hostile or intrusive software. Generally, malware is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of computer code, scripts, active content, or other software. The threat of malware is continuously increasing, as malware itself becomes more sophisticated and the range of malicious purposes expands.

In response, many software-based solutions have been developed to combat the threat of malware and to attempt to secure the personal computing devices of users. Generally, these conventional software-based solutions attempt to protect data within the computing device itself by blocking the activity of malware, or by removing the malware. Some software-based solutions attempt to safeguard sensitive data through encryption and various software-enforced schemes intended to prevent access to the sensitive data. However, if a computing device is already infected with malware, a software-based solution may be incapable of adequately safeguarding sensitive data. For instance, if malware is able to intercept raw data from a peripheral device, a software-based anti-malware solution that operates in a web browser may not provide an effective safeguard for the user's sensitive data.

DRAWINGS

For a better understanding of the various embodiments described herein, and to show more clearly how they may be carried into effect, reference will now be made, by way of example only, to the accompanying drawings which show at least one exemplary embodiment, and in which:

FIG. 1 is a simplified block diagram of an example system in accordance with some embodiments;

FIGS. 2A to 2D are data flow diagrams illustrating example modes of operation of a secure peripheral interface device in the system of FIG. 1;

FIGS. 3A to 3C are example command flow diagrams for switching the mode of operation of a secure peripheral interface device in the system of FIG. 1;

FIGS. 4A and 4B are example data flow diagrams for the transmission of input data by a secure peripheral interface device in the system of FIG. 1; and

FIG. 5 is an example data flow diagram for the system of FIG. 1.

The skilled person in the art will understand that the drawings, described below, are for illustration purposes only. The drawings are not intended to limit the scope of the applicants' teachings in any way. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.

DESCRIPTION OF VARIOUS EMBODIMENTS

The embodiments of the systems and methods described herein may be implemented in hardware or software, or a combination of both. These embodiments may be implemented in computer programs executing on programmable computers, each computer including at least one processor, a data storage system (including volatile memory, non-volatile memory, other data storage elements or a combination thereof), and at least one communication interface.

Program code is applied to input data to perform the functions described herein and to generate output information. The output information is applied to one or more output devices.

Each program may be implemented in a high level procedural or object oriented programming or scripting language, or both, to communicate with a computer system. However, alternatively the programs may be implemented in assembly or machine language, if desired. The language may be a compiled or interpreted language. Each such computer program may be stored on a storage media or a device (e.g., ROM, magnetic disk, optical disc), readable by a general or special purpose programmable computer, for configuring and operating the computer when the storage media or device is read by the computer to perform the procedures described herein. Embodiments of the system may also be considered to be implemented as a non-transitory computer-readable storage medium, configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner to perform the functions described herein.

Furthermore, the systems and methods of the described embodiments are capable of being distributed in a computer program product including a physical, non-transitory computer readable medium that bears computer usable instructions for one or more processors. The medium may be provided in various forms, including one or more diskettes, compact disks, tapes, chips, magnetic and electronic storage media, and the like. Non-transitory computer-readable media comprise all computer-readable media, with the exception being a transitory, propagating signal. The term non-transitory is not intended to exclude computer readable media such as a volatile memory or RAM, where the data stored thereon is only temporarily stored. The computer usable instructions may also be in various forms, including compiled and non-compiled code.

The described systems, methods, and apparatus generally provide a secure peripheral interface device (e.g., hub) that protects or secures sensitive data input from a peripheral device to a personal computing device before the input is received by the personal computing device, thus preventing access to the sensitive data by any malware that may infect the computing device.

In some embodiments, the secure peripheral interface device is a Universal Serial Bus (USB) hub, although in other embodiments the secure peripheral interface device supports other peripheral connection protocols, such as Thunderbolt™ or the Apple Lightning™ interface. The secure peripheral interface device may be an external device to the computing device. However, in some embodiments, the secure peripheral interface device may be provided within the enclosure or on the logic board of a computing device, in which case it is a physically distinct integrated circuit from the main processor and memory of the computing device. In particular, the secure peripheral interface device may be an application specific integrated circuit (ASIC) or field programmable gate array (FPGA) including its own dedicated processor and memory.

Accordingly, the secure peripheral interface device minimizes the risk of malware intercepting sensitive data input by a user to a peripheral device, such as a keyboard, of a computing device.

Referring now to FIG. 1, there is illustrated a simplified block diagram of an example system in accordance with some embodiments.

In the illustrated embodiment, system 100 includes a computing device 130, a secure peripheral interface device (SPID) 110, a peripheral device 120, a secure external computing device 140, and a network 150.

Computing device 130 is a personal computing device such as a personal computer, tablet computer, or smartphone. Computing device 130 has a processor, memory (volatile, non-volatile, or both), and at least one communication interface for transmitting and receiving data from peripheral devices and other computing devices.

Secure external computing device 140 is a computing device such as a server computer. Secure external computing device 140 also has a processor, memory and at least one communication interface. In the secure communication contexts described herein, secure external computing device 140 is the destination for sensitive data input by a user of computing device 130. For example, secure external computing device 140 may be an online banking web server, a virtual private network server, or some other computing device that may receive sensitive data from the user.

Computing device 130 and secure external computing device 140 are communicatively coupled by a network 150. Network 150 is a data communications network, such as the Internet. In some embodiments, network 150 may be omitted and computing device 130 and external computing device 140 may be directly coupled, for example, via a data communications cable.

SPID 110 may include a processor, an internal memory and at least one communication interface, such as USB. SPID 110 may be an integrated microcontroller, for example. In the illustrated embodiment, SPID 110 is a USB hub implementing the USB 2.0 protocol. For clarity, SPID 110 is illustrated as a separate device, external to computing device 130. However, SPID 110 may be provided within the enclosure of computing device 130, as an FPGA or ASIC on a logic board, or the like.

SPID 110 can be implemented as a tamper-resistant device conforming to the GlobalPlatform™ specifications for a Secure Element (SE). Accordingly, SPID 110 is generally capable of performing the functions associated with a Secure Element. Generally, an SE is a hardware-based device that provides tamper-resistance measures effective against software-based attacks, hardware-based attacks and side channel attacks, such as differential power analysis.

SPID 110 can operate in at least four different modes of operation: a normal mode, a sniffing mode, an obscuring mode and an encryption mode, as described with reference to FIGS. 2A to 2D. Accordingly, SPID 110 can accept control commands to switch between modes of operation. Control commands may originate from different sources, including a peripheral device, a computing device and a secure external computing device, as described with reference to FIGS. 3A to 3C.

In some circumstances, SPID 110 can store sensitive data to its internal memory for later retrieval and transmission, as described with reference to FIGS. 4A and 4B.

Referring to FIGS. 2A to 2D, SPID 110 is capable of operating in at least four different modes: normal mode 210, sniffing mode 220, obscuring mode 230, and encryption mode 240.

Referring now to FIG. 2A, there is illustrated a data flow diagram for a normal mode 210. In normal mode 210, SPID 110 operates in conventional fashion as a USB hub device, without applying security controls. Normal mode 210 may be the default mode of operation for SPID 110.

In normal mode 210, input data is received at a peripheral device and transmitted to SPID 110 at 311. At 312, the input data is transmitted from SPID 110 to computing device 130 in unmodified form.

Referring now to FIG. 2B, there is illustrated a data flow diagram for a sniffing mode 220. In sniffing mode 220, SPID 110 appears to operate in conventional fashion as a USB hub device. However, SPID 110 also stores the input for possible later retrieval.

In sniffing mode 220, input is received at a peripheral device and transmitted to SPID 110 at 321. At 322, SPID 110 captures and stores unmodified input from peripheral device 120. Input data is stored securely in a memory of SPID 110, for example using Secure Element storage, for possible export and transmission to a secure external computing device 140, as described with reference to FIGS. 4A and 4B.

At 323, SPID 110 transmits the input data to computing device 130 in unmodified form.

Referring now to FIG. 2C, there is illustrated a data flow diagram for an obscuring mode 230.

In obscuring mode 230, SPID 110 captures all of the user input from peripheral device 120 and obscures sensitive data in the input data. For example, sensitive data may be obscured by replacing all or a portion of the input data with pre-defined "blanking" data, such as asterisk characters. In another example, sensitive data may be obscured by replacing the sensitive data with proxy data. Proxy data is non-sensitive data that may be generated by SPID 110 and associated with the sensitive data retained in memory.

Accordingly, in obscuring mode 230, input is received at a peripheral device and transmitted to SPID 110 at 331. At 332, SPID 110 captures and stores unmodified input from peripheral device 120. At 333, a processor of SPID 110 obscures the input data to generate secured input data, before transmitting the secured input data to computing device 130 at 334.

When SPID 110 operates in obscuring mode 230, input data from peripheral device 120 is first processed before transmission to computing device 130. That is, computing device 130 preferably does not receive the original, unmodified input data that was entered via peripheral device 120. Computing device 130 only receives the secured input data. The unmodified input data is stored securely in a memory of SPID 110 for possible export and transmission to a secure external computing device 140, as described with reference to FIGS. 4A and 4B.

Referring now to FIG. 2D, there is illustrated a data flow diagram for an encryption mode 240. Encryption mode 240 is generally similar to obscuring mode 230 of FIG. 2C. However, in encryption mode 240, SPID 110 encrypts the input data rather than obscuring it.

In encryption mode 240, SPID 110 encrypts all of the user input from peripheral device 120 and sends the encrypted input to computing device 130. In encryption mode 240, computing device 130 never sees the actual user input that was entered via peripheral device 120.

Accordingly, in encryption mode 240, input is received at a peripheral device and transmitted to SPID 110 at 341. At 342, a processor of SPID 110 encrypts the input data to generate secured input data. Optionally, SPID 110 may store the input data or the secured input data for later retrieval.

At 343, SPID 110 transmits the secured input data to computing device 130, which may transmit the secured input data to another device, such as secure external computing device 140.

Accordingly, when SPID 110 operates in encryption mode 240, input data from peripheral device 120 is first processed and encrypted before transmission to computing device 130. That is, computing device 130 does not receive the original, unmodified input data that was entered via peripheral device 120. Computing device 130 only receives the encrypted, secured input data.

Referring now to FIGS. 3A to 3C, there are illustrated example command flow diagrams for switching the mode of operation of a SPID, such as SPID 110 of system 100.

SPID 110 can switch between different modes of operation in at least three different ways, making the process of securing sensitive data easier for the user.

Referring now to FIG. 3A in particular, there is illustrated a peripheral device command flow 410. In peripheral device command flow 410, SPID 110 may initially be operating in normal mode 210. When a user desires to secure data, a secure mode selection input may be provided at peripheral device 120, such as pressing a "secure" button on a keyboard. There may be several dedicated buttons to select the desired operation mode or, alternatively, a single button may be pressed multiple times to cycle through the operation modes.

In response to the selection input, peripheral device 120 sends an enter mode command to SPID 110, at 511. SPID 110 then enters the selected secured mode of operation.

When the entering of sensitive data has been completed, the user may once again provide an input at peripheral device 120 to exit from the secure mode. In response to the further selection input, peripheral device 120 transmits an exit mode command to SPID 110 at 512. Accordingly, SPID 110 returns to normal mode 210.

Referring now to FIG. 3B in particular, there is illustrated a computing device command flow 420. Command flow 420 is generally analogous to command flow 410 of FIG. 3A, with computing device 130 taking the place of peripheral device 120.

In computing device command flow 420, SPID 110 may initially be operating in normal mode 210. A software program requesting a user's authentication credentials may determine that secured data entry is needed, and may generate an indication identifying the desired secured mode.

In response to the indication, computing device 130 transmits an enter mode command to SPID 110, at 521. SPID 110 then enters the selected secured mode of operation. Note that this command flow relies on software running on computing device 130, which is the device this description assumes may be infected with malware; it therefore offers weaker assurance than the flows of FIGS. 3A and 3C, in which the command originates from the peripheral device or from the secure external computing device.

When the entering of sensitive data has been completed, the software program may provide a further indication to exit from the secure mode. In response to the further indication, computing device 130 transmits an exit mode command to SPID 110 at 522. Accordingly, SPID 110 returns to normal mode 210.

Referring now to FIG. 3C in particular, there is illustrated a secure external computing device command flow 430.

In secure external computing device command flow 430, computing device 130 acts as a communication relay between SPID 110 and secure external computing device 140. SPID 110 may initially be operating in normal mode 210.

When secure external computing device 140 determines that a secured mode of data input should be used, secure external computing device 140 may establish a secure channel with SPID 110 at 531, using Transport Layer Security (TLS) or another suitable encryption protocol. The secure channel is established via computing device 130. Each of secure external computing device 140 and SPID 110 controls its respective endpoint of the secure channel and maintains its respective cryptographic keys. Accordingly, computing device 130 is unable to snoop or eavesdrop on communications in the secure channel: it relays only ciphertext it cannot decrypt, and the integrity protection of the channel detects any modification it attempts.

Once the secure channel is established, secure external computing device 140 transmits an enter mode command to SPID 110, at 532. SPID 110 then enters the selected secured mode of operation.

While in encryption mode 240, input data received at SPID 110 (e.g., from peripheral device 120) may be transmitted directly to secure external computing device 140 over the secure channel. Secure external computing device 140 may receive the input data and store or process the input data as needed.

For example, in the context of an authentication process where the input data is a user password, secure external computing device 140 may receive the password, verify that the password is correct and signal to computing device 130 that authentication was successful. The signal to computing device 130 may be transmitted out of band, that is, not within the secure channel established between SPID 110 and secure external computing device 140.

When the entering of sensitive data has been completed, secure external computing device 140 transmits an exit mode command to SPID 110 at 533. Accordingly, SPID 110 returns to normal mode 210. The secure channel may be closed at 534.

Referring now to FIGS. 4A and 4B, there are illustrated example data flow diagrams for the transmission of input data from SPID 110 to a secure external computing device. The transmitted input data may be stored input data.

Referring now to FIG. 4A in particular, there is illustrated a data flow 610.

At 711, secure external computing device 140 establishes a secure channel with SPID 110, for example as described with reference to FIG. 3C.

Upon establishment of the secure channel, and with SPID 110 in a secured mode such as obscuring mode 230, SPID 110 transmits the stored input data to secure external computing device 140 over the secure channel, at 712.

Once the transmission of the input data is complete, the secured mode of operation may be exited and the secure channel closed at 713.

Referring now to FIG. 4B in particular, there is illustrated a data flow 620, which is generally similar to data flow 610 of FIG. 4A. Data flow 620 introduces an additional layer of encryption, for added security.

At 721, secure external computing device 140 establishes a secure channel with SPID 110, for example as described herein with reference to FIG. 3C.

At 722, secure external computing device 140 generates and transmits a shared cryptographic key, such as a symmetric encryption key, to SPID 110 for use during the secure channel session. Alternatively, SPID 110 may generate and transmit the shared cryptographic key to secure external computing device 140. In either case the key travels inside the secure channel established at 721, so its confidentiality depends on that channel.

SPID 110 encrypts the stored input data using the shared cryptographic key at 723, and transmits the encrypted data to secure external computing device 140, at 724.

The secure channel may be closed at 725.

Referring now to FIG. 5, there is illustrated a data flow diagram for an example system, such as system 100 of FIG. 1.

In the example of data flow 810, secure external computing device 140 may be an online banking website and the input data may be a user password for authenticating the user with the online banking website.

A user may initially connect to secure external computing device 140 using a web browser at computing device 130. Upon login, secure external computing device 140 transmits an indication to computing device 130 at 911, causing computing device 130 to display an instruction to the user to initiate an obscuring mode of operation at SPID 110.

In response, the user provides a selection input to peripheral device 120, selecting the obscuring mode of operation. For example, the selection input may comprise one or more key presses of a keyboard, as described herein.

Peripheral device 120 transmits a command to SPID 110 to enter the obscuring mode at 913.

Once the obscuring mode is activated, the user enters the password at 990, which is transmitted to SPID 110 by peripheral device 120 at 914.

SPID 110 stores the input data at 915, and obscures the input data at 916 to generate secured input data.

At 917, the obscured input data is transmitted to computing device 130, where it can be stored for later transmission, and may be displayed to the user on a display of computing device 130.

Upon completing entry of the password, the user may provide a further selection input to return to the normal mode of operation, at 918. Accordingly, peripheral device 120 transmits a command to SPID 110 to enter the normal mode of operation at 919.

SPID 110 may further transmit an indication to computing device 130 that the obscuring mode has been exited at 921, signifying that the password entry is complete. Optionally, a separate indication may be used (e.g., the user may click a "Submit" button in the web browser) to indicate to computing device 130 that the data input (e.g., password) has been completed.

Computing device 130 transmits login information to secure external computing device 140 at 922. The login information may include the obscured input data, or it may include an indication that the password has been stored at SPID 110.

In response, secure external computing device 140 detects that obscured input data has been provided in lieu of the user's password, or that the indication has been received that the password is stored at SPID 110, and establishes a secure channel with SPID 110 at 923.

SPID 110 transmits the stored input data at 924, as described herein. The secure channel may be closed at 925.

Accordingly, sensitive input data, such as the user password, is sent only in encrypted form, end-to-end between SPID 110 and secure external computing device 140. Malware that may be present on computing device 130 is not provided with an unobscured or unencrypted form of the input data. Note that when one blanking character is substituted per keystroke, the obscured data still reveals the number of characters entered, though not their values.
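The following is an added example written for this page, not code from the patent or its applicant. It models the four SPID modes of FIGS. 2A to 2D and the FIG. 5 login flow, with computing device 130 acting as the relay of FIGS. 3C and 4B that sees every byte but can read none of the protected ones. The mode names, the "spid-proxy:" token format, the pre-shared channel key standing in for the TLS session keys, and the HMAC-SHA256 encrypt-then-MAC construction (used so the script needs only the Python standard library; a real secure element would run TLS, as the text says) are all assumptions, not features the patent specifies.

```python
"""Toy model of the SPID modes of FIGS. 2A to 2D and the FIG. 5 login flow over the
relayed secure channel of FIGS. 3C and 4B. Added example, not the patent's code.
Assumptions: the mode names, the "spid-proxy:" token format, a pre-shared channel
key standing in for TLS session keys, and an HMAC-SHA256 encrypt-then-MAC toy cipher
chosen so the script needs only the standard library (a real SE would run TLS)."""
import hashlib
import hmac
import secrets

NORMAL, SNIFFING, OBSCURING, ENCRYPTION = "normal", "sniffing", "obscuring", "encryption"
PROXY_PREFIX = "spid-proxy:"   # assumed marker letting the server recognise proxy data

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    enc_key = _mac(key, b"enc")   # separate sub-keys for encryption and authentication
    return b"".join(_mac(enc_key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with a fresh random nonce per message."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a relaying host that tampers is caught here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("secure channel: authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class SPID:
    """Hub between keyboard (120) and host (130); the channel key lives in SE storage."""
    def __init__(self, channel_key: bytes):
        self.mode, self.channel_key = NORMAL, channel_key
        self.stored = bytearray()   # unmodified input retained in the secure element
        self.proxy = None           # proxy token for the current obscured entry
    def command(self, cmd: str) -> str:
        """Enter/exit mode command (FIGS. 3A to 3C). Returns the indication the host
        receives: the proxy token when an obscured entry ends, otherwise empty."""
        if cmd.startswith("enter:"):
            self.mode = cmd.split(":", 1)[1]
            if self.mode == OBSCURING:
                self.proxy = PROXY_PREFIX + secrets.token_hex(8)
        elif cmd == "exit":
            indication, self.mode = (self.proxy or ""), NORMAL
            return indication
        return ""
    def keystroke(self, ch: str) -> bytes:
        """One character from the peripheral; the return value is all the host sees."""
        raw = ch.encode()
        if self.mode == NORMAL:
            return raw                          # FIG. 2A: plain USB hub
        self.stored += raw                      # FIGS. 2B to 2D: keep the original
        if self.mode == SNIFFING:
            return raw                          # FIG. 2B: indistinguishable from normal
        if self.mode == OBSCURING:
            return b"*"                         # FIG. 2C: blanking data
        return seal(self.channel_key, raw)      # FIG. 2D: ciphertext only
    def export_stored(self) -> bytes:
        """FIG. 4B: stored input leaves the SE only under the channel key, then is wiped."""
        blob = seal(self.channel_key, bytes(self.stored))
        self.stored, self.proxy = bytearray(), None
        return blob

class Host:
    """Computing device 130: relays both ways and, standing in for malware, logs every byte."""
    def __init__(self):
        self.seen = []
    def relay(self, data):
        self.seen.append(data if isinstance(data, bytes) else data.encode())
        return data

def server_login(channel_key: bytes, pw_hash: bytes, submitted: str, fetch) -> bool:
    """Secure external computing device 140: a proxy token means the password is at the
    SPID (922), so pull it over the secure channel (923/924) instead of using `submitted`."""
    if submitted.startswith(PROXY_PREFIX):
        password = unseal(channel_key, fetch())
    else:
        password = submitted.encode()
    return hmac.compare_digest(hashlib.sha256(password).digest(), pw_hash)

def login_flow(password: str, typed: str = None, mode: str = OBSCURING) -> dict:
    """Run FIG. 5 end to end (obscuring mode) or the insecure baseline (normal/sniffing;
    encryption mode is exercised via SPID directly) and report what the host could read."""
    key = secrets.token_bytes(32)               # stands in for the TLS session keys
    spid, host = SPID(key), Host()
    pw_hash = hashlib.sha256(password.encode()).digest()   # what the bank has on file
    host.relay(spid.command("enter:" + mode))                                        # 913
    displayed = host.relay(b"".join(spid.keystroke(c) for c in (typed or password)))  # 914-917
    submitted = host.relay(spid.command("exit")) or displayed.decode()               # 918-922
    ok = server_login(key, pw_hash, submitted, lambda: host.relay(spid.export_stored()))
    leaked = any(password.encode() in chunk for chunk in host.seen)
    return {"ok": ok, "displayed": displayed, "host_saw_password": leaked}
```

`login_flow("hunter2")` logs the user in while the host has observed only asterisks, a proxy token and ciphertext; `login_flow("hunter2", mode=NORMAL)` shows the baseline in which the same host sees the password in the clear. The relay log also makes visible what obscuring mode does not hide: the number of keystrokes, since one blanking character is emitted per character typed.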

It will be appreciated that numerous specific details are set forth in order to provide a thorough understanding of the exemplary embodiments described herein. However, it will be understood by those of ordinary skill in the art that the embodiments described herein may be practiced without these specific details. In other instances, well-known methods, procedures and components have not been described in detail so as not to obscure the embodiments described herein. Furthermore, this description is not to be considered as limiting the scope of the embodiments described herein in any way, but rather as merely describing implementation of the various embodiments described herein. The scope of the claims should not be limited by the preferred embodiments and examples, but should be given the broadest interpretation consistent with the description as a whole.

CLAIMS

1. A method of securing input data from a peripheral device for transmission to a secure external computing device, comprising: displaying, at a personal computing device, a request for user input; receiving, at the peripheral device, input data associated with the request for user input; receiving, at the peripheral device, a secure mode selection; transmitting the input data and the secure mode selection from the peripheral device to a secure element, wherein the secure element is in communication with the peripheral device and the personal computing device via at least one communication interface; selecting, at the secure element, from a plurality of secure modes based on the secure mode selection; securing, at the secure element, the input data based on the secure mode selection; storing the secured input data in a memory of the secure element; transmitting the secured input data from the secure element to the personal computing device; and transmitting the secured input data from the personal computing device to the secure external computing device.

2. The method of claim 1, wherein the input data comprises authentication data.

3. The method of claim 1, wherein the plurality of secure modes comprise a sniffing mode, an encryption mode, and an obscuring mode.

4. The method of claim 1, further comprising establishing a secure channel between the secure element and the secure external computing device prior to transmitting the secured input data from the secure element.

5. An interface device comprising: at least one communication interface operable to communicate with a plurality of devices; and a secure element comprising: a memory; and a processor configured to receive input data and a secure mode selection from one or more of the plurality of devices via the at least one communication interface, wherein the processor is configured to select from a plurality of secure modes based on the secure mode selection, secure the input data based on the secure mode, and store the secured input data in the memory.

6. The interface device of claim 5, wherein, based on the secure mode being an encryption mode, the processor is configured to encrypt the input data with an encryption key, store the encrypted data as the secured input data, and transmit the encrypted data to a secure external computing device.

7. The interface device of claim 5, wherein, based on the secure mode selection being an obscuring mode, the processor is configured to obscure the input data, transmit the obscured data to a computing device, and store the input data as the secured input data.

8. The interface device of claim 7, wherein the processor is configured to establish a secure channel with a secure external computing device and transmit the secured input data to the secure external computing device via the secure channel.

9. The interface device of claim 5, wherein the processor is configured, based on the secure mode being a sniffing mode, to store the input data as the secured input data, establish a secure channel with a secure external computing device, and transmit the secured input data to the secure external computing device via the secure channel.

10. The interface device of claim 5, wherein the input data comprises information for authenticating a user.

11. The interface device of claim 10, wherein the information for authenticating the user comprises a user password.

12. The interface device of claim 5, wherein a first device of the plurality of devices comprises a peripheral device.

13. A method of securing input data at an interface device, comprising: receiving the input data and a secure mode selection at one or more communication interfaces; selecting, at a secure element, from a plurality of secure modes based on the secure mode selection; and securing, at the secure element, the input data based on the secure mode.

14. The method of claim 13, wherein securing the input data based on the secure mode comprises: encrypting the input data with an encryption key based on the secure mode being an encryption mode; storing the encrypted data in a memory of the secure element; and transmitting the encrypted data to a secure external computing device.

15. The method of claim 13, wherein securing the input data based on the secure mode comprises: obscuring the input data based on the secure mode being an obscuring mode; storing the input data in a memory of the secure element; and transmitting the obscured data to a computing device.

16. The method of claim 15, further comprising: establishing a secure channel with a secure external computing device; and transmitting the input data to the secure external computing device via the secure channel.

17. The method of claim 13, wherein securing the input data based on the secure mode comprises: storing the input data in a memory of the secure element based on the secure mode being a sniffing mode; establishing a secure channel with a secure external computing device; and transmitting the input data to the secure external computing device via the secure channel.

18. The method of claim 13, wherein the input data comprises information for authenticating a user.

19. The method of claim 18, wherein the information for authenticating the user comprises a user password.

20. The method of claim 13, wherein the input data is received from a peripheral device.